CLIAMS:What is claimed is:
1. A method for conducting transaction, the method comprising:
a. receiving purchase order from a customer from a plurality of customers, wherein the purchase order comprises:
a. a product to be purchased; and
b. identity information of a mobile device of the customer, wherein the identity information of the mobile device includes mobile identity number of the customer;
b. issuing an authorization request to the customer;
c. obtaining authorization data from the customer in response to the issued authorization request;
d. providing the authorization data to a certification authority;
e. receiving a verification response for the authorization data from the certification authority;
f. generating transaction information based on the received verification response;
g. transmitting the transaction information to a financial organization;
h. collecting transaction status from the financial organization, wherein the financial organization interacts with the certification authority to process the transaction; and
i. sending an update based on the transaction status to the customer upon completion of the transaction.
2. The method as claimed in claim 1, wherein the authorization data comprises digital signature of the customer.
3. The method as claimed in claim 1, wherein the certification authority issues and validates digital identity information.
4. The method as claimed in claim 1, wherein the transmitted transaction information comprises:
a. the verification response received from the certification authority;
b. a customer account mapped to the mobile device of the customer;
c. account details of a merchant; and
d. an amount to be transferred from the account of the customer to the account of the merchant.
5. A method for validating digital identity information by a certification authority, the method comprising:
a. getting a first set of data from a merchant, wherein the first set of data comprises digital identity data of a customer;
b. verifying the first set of data;
c. obtaining second set of data from a financial organization, wherein the second set of data comprises digital identity data of the merchant; and
d. verifying the second set of data.
6. The method as claimed in claim 5, wherein the digital identity data comprises a digital certificate.
7. The method as claimed in claim 6, wherein the digital certificate comprises:
a. combination of letters, numbers, and symbols;
b. certificate serial number;
c. certificate validity period;
d. public key for authenticating the digital certificate;
e. identifier of the certificate authority; and
f. certificate status.
8. A system for conducting transaction, the system comprising:
a. an authorization module to generate authorization request upon reception of purchase request;
b. a transceiver module, wherein the transceiver module is configured to:
a. transmit authorization request to the customer;
b. receive the authorization data entered by the customer;
c. provide authorization data to a certification authority;
d. receive authorized data from the certification authority;
e. send transaction information to a financial organization; and
f. receive the updated information from the financial organization;
c. a verification module to verify the authorization data of the customer;
d. a processor module, wherein the processor module is configured to:
a. generate transaction information; and
b. transfer the amount of funds from the customer account to the merchant account.
9. The system as claimed in claim 8, wherein the transceiver module comprises a computing device.
10. The system as claimed in claim 8, further comprising a notification module to inform the customer about the status of the transaction.
,TagSPECI:METHOD AND SYSTEM FOR FACILITATING ONLINE TRANSACTION
FIELD OF THE INVENTION
[0001] The present invention relates to transaction and in particular, it relates to security of transaction.
BACKGROUND OF THE INVENTION
[0002] The steady growth of the Internet has resulted in an electronic commerce industry, where more and more products and services are available to consumers at ease. People adopt different methods to sell goods and services over the internet. For example, a company can list its products and/or services for sale on its own website. The company/retail shopkeepers can also list products and services on other e-commerce marketplaces, such as eBay™. The creation and management of products or services listings on each of these marketplaces differ from one marketplace to another. Even then, these marketplaces follow a common methodology to conduct commercial transactions with their customers.
[0003] It is possible for buyers to find the best products, goods, merchandise etc. through the electronic-stores at rates much lower than that at the conventional stores. In addition to that, the user has the luxury to compare a large variety of goods to find the one that best suits his requirements. However, even with all the aforementioned advantages, the online shopping process has some drawbacks. The user has to undergo a long process to complete the transaction. Contrary to simply paying cash at the conventional stores without compromising with his personal details, the user has to pass through a number of time-consuming stages. He is further compelled to furnish his/her personal information to cross each of the stages of the transaction. Furthermore, the same procedure has to be followed even if the payment amount is small. Effectively, the long check out time and an even longer transaction processing time added to the amount of data that the user is asked to furnish to complete the transaction dilutes the online shopping experience of the customer.
[0004] The conventional system discloses a process wherein the purchase details are sent to the transaction intermediary server together with the consumer information. These details are scanned to identify the user’s resident registration number, which is a type of digital signature. Once the digital signature is received, the transaction intermediary server verifies the personal certificate using the certificate authority's digital signature verification key associated with the received certificate. However, this approach lacks the desired level of security owing to the user’s registration number being the only source of authentication.
[0005] In another approach, a “merchant” may have a merchant website that can interact with a consumer device to conduct transactions with a consumer wishing to purchase products from the merchant’s website. To complete the transaction on the merchant payment page, the consumer has to enroll a portable communication device by providing a device identifier in a payment information online request form on the merchant website. The merchant in this case does not verify the authenticity of the consumer but sends a transaction request to the issuer bank. This often results in low levels of authentication and security.
[0006] In light of the above discussion, there is a need for a method and system which would overcome all the above stated problems.
BRIEF DESCRIPTION OF THE INVENTION
[0007] The above-mentioned shortcomings, disadvantages and problems are addressed herein which will be understood by reading and understanding the following specification.
[0008] In embodiments, the present invention provides a method for making a secure transaction. The method includes receiving purchase order from a payee, issuing an authorization request to the payee, obtaining authorization data from the payee in response to the issued authorization request, providing the authorization data to a certification authority, receiving a verification response for the authorization data from the certification authority, generating transaction information based on the received verification response, transmitting the transaction information to a financial organization, and collecting transaction status from the financial organization. The financial organization interacts with the certification authority to process the transaction. The purchase order includes a mobile identity of the payee and an identifier of the product to be purchased. The mobile identity of the payee is used to seek authorization from the payee to initiate the electronic payment and to verify the authenticity of the payee from the certification authority.
[0009] In an embodiment, the method further includes notifying the payee and the recipient, on completion of the payment process.
[0010] In an embodiment, the mobile identity of the payee includes at least one of an International Mobile Subscriber Identity (IMSI), a Mobile Subscriber Identity Number (MSISDN), and a mobile digital signature of a mobile device of the payee.
[0011] In an embodiment, the authorization data includes a digital signature. In another embodiment, the authorization data includes a security pass-code.
[0012] In another aspect, the present invention provides a system for making an electronic payment. The system includes a transceiver, a verifier, a storage module, and one or more processors. The transceiver receives a purchase order, and an identifier associated with a recipient. The transceiver further seeks authorization from a payee by transmitting an authorization request message to a mobile device of the payee, and receives an authorization data from the payee. The purchase order includes a mobile identity of the payee and a transaction amount. The storage module stores mobile device information associated with the mobile identity. The one or more processors verify the authorization data, generate an authorization response and initiate the electronic payment of the transaction amount.
[0013] In an embodiment, the transceiver notifies the payee and the recipient after the transaction is completed.
[0014] Systems and methods of varying scope are described herein. In addition to the aspects and advantages described in this summary, further aspects and advantages will become apparent by reference to the drawings and with reference to the detailed description that follows.
BRIEF DESCRIPTION OF THE DRAWINGS
[0015] Figure 1 illustrates a system for making an electronic payment, in accordance with various embodiments of the present invention;
[0016] Figure 2 illustrates a flowchart for making the electronic payment, in accordance with various embodiments of the present invention;
[0017] Figure 3 illustrates a block diagram of a system for making the electronic payment, in accordance with various embodiments of the present invention;
[0018] Figure 4 illustrates a flowchart for verification of a payee making the electronic payment, in accordance with various embodiments of the present invention;
[0019] Figure 5 illustrates a sequence diagram of a method for making the electronic payment, in accordance with various embodiments of the present invention;
[0020] Figure 6 illustrates a mobile device authorizing the request for initiation of the electronic payment, in accordance with various embodiments of the present invention;
[0021] Figure 7 illustrates the mobile device requesting the payee to enter security pin, in accordance with various embodiments of the present invention; and
[0022] Figure 8 illustrates the mobile device of the payee after sending an authorization data, in accordance with various embodiments of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
[0023] In the following detailed description, reference is made to the accompanying drawings that form a part hereof, and in which is shown by way of illustration specific embodiments, which may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the embodiments, and it is to be understood that other embodiments may be utilized and that logical, mechanical, electrical and other changes may be made without departing from the scope of the embodiments. The following detailed description is, therefore, not to be taken in a limiting sense.
[0024] Figure 1 illustrates a system 100 for making an electronic payment. The system includes a payee 160 with a mobile device 110, a payee 170 with a mobile device 120, a recipient 130, a certification authority 140, and a financial organization 150.
[0025] The payee 160 refers to a user who permits transfer of money to the recipient 130. The electronic payment occurs between the payee 160 and the recipient 130. In an embodiment, the payee 160 is a customer and the recipient 130 is a merchant. The customer pays the merchant after selecting a product. In another embodiment, the payee 160 is an employer and the recipient 130 is an employee. The employer pays the employee remuneration for the services rendered by the employee.
[0026] The mobile device 110 and/or the mobile device 120 refer to handheld electronic devices that are used to communicate over a communication network. Examples of the mobile device 110 and the mobile device 120 are a cell phone, a personal digital assistant (PDA), a wireless email terminal, a tablet computer, and the like. Examples of the communication network are a local area network, a wide area network, a wireless network, a telecommunication network, and the like. Types of the telecommunication network include but may not be limited to a global system for mobile communication (GSM) network, a general packet radio service (GPRS) network, a code division multiple access (CDMA) network, enhanced data GSM environment (EDGE), wideband CDMA (WCDMA), and the like.
[0027] The capabilities and functions of the payee 160 and the payee 170 are the same. Moreover, the capabilities and functions of the mobile device 110 and the mobile device 120 are the same.
[0028] The recipient 130 has a payment terminal. The payment terminal refers to an electronic device, which co-ordinates with the different entities involved in the transaction. The payment terminal generates transaction information after successful verification of the payee 160. The transaction information is a payment order for transferring money from the account of the payee 160 to the recipient 130. In an embodiment, the payment terminal is a server located at the recipient 130’s end. The server receives a purchase order from the payee. Consequently, it verifies the payee 160. Finally, it generates the transaction information. In another embodiment, the payment terminal is a general-purpose computer of the payee 160. The general-purpose computer, at the behest of the payee 160, generates the transaction information. In yet another embodiment, the payment terminal is the mobile device 110. In yet another embodiment, the payment terminal is a point of sale (POS) terminal.
[0029] Figure 2 illustrates a flowchart 200 for making the electronic payment, in accordance with various embodiments of the present invention. The flowchart initiates at step 210. At step 220, the server of the recipient 130 receives a purchase order from the payee 160. The purchase order includes a mobile identity of the payee 160 and a transaction amount. The transaction amount indicates an amount of money or funds to be transferred from the payee 160 to the recipient 130.
[0030] Mobile identity relates to an extension of digital identity provided via the mobile device 110 and communication networks. Mobile identity relates to a manner of verifying personal identity using mobile device 110. Mobile identity is often based on a combination of knowledge factor, possession factor, and inherence factor.
[0031] Knowledge factor refers to a set of parameters that the payee 160 would remember. For example, knowledge factor is a password, a security code, a security question, and the like. Possession factor refers to a set of parameters that are within the user’s possession. For example, possession factor is an encrypted subscriber identification module (SIM), an encryption module on the mobile device 110 that generates security pass-codes, an identification communication tag on the mobile device 110, a one-time password delivered to the mobile device 110, mobile digital signature contained on the mobile device 110, and the like. Inherence factor refers to a set of parameters that are inherent to the user. For example, inherence factor is the biometric signature of the payee 160, the iris scan of the user, the geographical location of the payee 160, and the like.
[0032] In an embodiment, mobile identity of the payee is it fine relates to digital signatures. In this embodiment, possession factor is used. In an embodiment, the subscriber identification module (SIM) card maintains the digital certificates of the payee 160. In order to use the certificates, the payee 160 has to enter a personal, secret code.
[0033] The mobile device 110 verifies the entered security code. After successful verification, the mobile device 110 allows access to the digital certificates of the payee 160. In another embodiment, a mobile digital signature application is present on the mobile device 110. The mobile digital signature application on the mobile device 110 receives the digital signature from a security server after the registration of the mobile device 110 for creation of mobile identity.
[0034] In another embodiment, mobile identity is an identity code unique to the mobile device 110.Examples of the identity code could be an International Mobile Subscriber Identity (IMSI), a Mobile Subscriber Identity Number (MSISDN) of the mobile device 110, and the like. In another example, a key generator present on the mobile device 110 generates the identity code. The identity code is used to identify the mobile device 110 uniquely associated with it, thereby serving the purpose of a unique identifier.
[0035] In yet another embodiment, mobile identity relates to biometric signatures and digital signatures. In this embodiment, a combination of inherence factor and possession factor is used. The payee 160 scans the payee 160’s thumbprint on the mobile device 110. The mobile device 110 generates and transmits a response including the digital signature of the payee 160 and the scanned biometric signature. The digital signature is stored on the subscriber identification module (SIM) card or on the mobile device 110.
[0036] In an embodiment, the payee 160 provides a product identification code for the product that the payee 160 wishes to purchase and the mobile identity of the payee 160 to the recipient 130. Consequently, the recipient 130 generates an authorization request message. The authorization request message includes the transaction amount and the mobile identity of the payee 160. Further, the recipient 130 sends the authorization request message to the mobile device 110 of the payee 160.
[0037] Subsequently, the payee 160 authorizes the authorization request by providing an authorization data. The authorization data includes a password, a security code, and the like.
[0038] In an embodiment, the payee 160 digitally signs the authorization request using a digital signature associated with the mobile identity of the payee 160. On receiving the authorization request, the mobile device 110 of the payee 160 retrieves a public key associated with the mobile identity. The mobile device 110 then transmits the retrieved public key to the recipient 130.
[0039] In another embodiment, a mobile digital signature application present on the mobile device 110 digitally signs the authorization request. In an embodiment, the mobile digital signature application on the mobile device 110 can generate a unique digital signature. In another embodiment, the mobile digital signature application obtains a digital signature from a secure third party for signing the authorization request.
[0040] In an embodiment, the authorization data includes the current location information of the payee 160. In this embodiment, the certification authority 140 tracks behavior of the payee 160 using the mobile device 110 of the payee 160. Further, the certification authority 140 analyses the behavior of the payee 160 to identify patterns such as preferred travel routes, preferred shopping localities, and the like, to create a user profile. Subsequently, the certification authority 140 compares the current location information of the authorization data against the user profile. The result of the comparison determines the probability of the payee 160 performing the current action. Finally, the certification authority 140 authenticates the payee 160’s action based on the probability calculated.
[0041] Moreover, the method includes obtaining the authorization data at step 240 and verifying the authorization data at step 250. Verification of the received authorization data ensures the validity of the received authorization data. The certification authority 140 verifies the mobile identity of the payee 160 using the authorization data. The certification authority 140 uses the public key to verify the signed authorization data. In an embodiment, a verification server performs the verification.
[0042] Further, the method includes generating transaction information based on the verified authorization data. Accordingly, the recipient 130 transmits the transaction information to a financial organization 150. In an embodiment, a server of the recipient 130 generates the transaction information. The transaction information includes the account details of the payee 160, the account details of the recipient 130, the verified authorization data received from the certification authority 140, and an amount to be transferred from the account of the payee 160 to the account of the recipient 130.
[0043] In addition, the method includes collecting the transaction status of a transaction amount at step 270. The financial organization 150 sends the transaction data received from the recipient 130 to the certification authority 140. The certification authority 140 verifies the recipient 130. Subsequently, the financial organization transfers an amount equal to the transaction amount to the account of the recipient 130.
[0044] In an embodiment, the certification authority 140 verifies the recipient 130 based on the account details of the recipient 130. In another embodiment, the certification authority 140 verifies the recipient 130 by sending an authorization request to the recipient 130. In yet another embodiment, the recipient 130 registers with the certification authority 140 before the recipient 130 engages in a transaction.
[0045] In an embodiment, the financial organization 150 sends a notification message to the mobile device 110 of the payee 160 and an electronic device of the recipient 130. The notification message notifies the payee 160 and the recipient 130 with a result of the transaction on completion of the transaction.
[0046] In another aspect, Figure 3 illustrates a block diagram 300 of a system 310 for making electronic payments, in accordance with various embodiments of the present invention.
[0047] The system 310 includes a transceiver 320, a storage module 330, a verifier 340, and one or more processors 350.
[0048] The transceiver 320 receives the purchase order from the payee 160, transmits authorization request to the payee 160, and receives authorization data from the payee 160. The transceiver 320 further sends the received authorization data to a certification authority 140 and receives back the authorized data from the certification authority. Furthermore, the transceiver 320 sends the transaction information to a financial organization 150 and receives the transaction status from the financial organization 150.
[0049] The storage module 330 stores information of the mobile device 110 associated with the mobile identity. In addition, the storage module 330 stores the product details.
[0050] The one or more processors 350 generate the authorization data and verify the authorization data. In addition, the one or more processors 350 generate the transaction information, and initiate the electronic payment of the transaction amount.
[0051] In an embodiment, the mobile device 110 digitally signs the authorization request using a digital signature associated with the mobile identity. The digital signature includes the public key. On receiving the authorization data from the mobile device 110, the one or more processors 350 retrieve a public key associated with the mobile identity. The one or more processors 350 verify the signed authorization data using the public key.
[0052] In an embodiment, the one or more processors 350 retrieve the account number of the payee 160 using the mobile identity of the payee 160. The one or more processors 350 retrieve the account number of the recipient 130 using the identifier associated with the recipient 130. Then, the one or more processors 350 transfer an amount equal to the transaction amount from the payee 160 to the recipient 130.
[0053] In another embodiment, the one or more processors 350 inform the financial organization 150 regarding the authenticity of the payee 160 and the recipient 130. The one or more processors 350 transmit the transaction information and the identifier associated with the recipient 130 to the financial organization 150. The financial organization 150 sends the identifier associated with the recipient 130 to the certification authority 140 for verification. After successful verification, the financial organization 150 retrieves the account number of the payee 160 using the mobile identity of the payee 160. The financial organization 150 retrieves the account number of the recipient 130 using the identifier associated with the recipient 130. Then, the financial organization 150 transfers an amount equal to the transaction amount from the payee 160 to the recipient 130.
[0054] In an embodiment, the transceiver 320 notifies the payee 160 and the recipient 130. The transceiver 320 sends a notification message to the mobile device 110 of the payee 160 and an electronic device of the recipient 130. The notification message notifies the payee 160 and recipient 130 regarding the completion of the transaction.
[0055] Figure 4 illustrates a flowchart 400 for verification of the payee making the electronic payment, in accordance with various embodiments of the present invention. The flowchart 400 initiates at step 410. At step 420, the server of the recipient 130 receives a purchase order from the payee 160. As explained above, the purchase order includes the mobile identity of the payee 160 and the transaction amount. Based on the received purchase order, the server of the recipient 130 decides to send an authorization request to the payee 160. If the payee 160 does not receive the authorization request, the flowchart 400 terminates at step 480. If the payee receives the authorization request, the flowchart 400 proceeds to step 440.
[0056] At step 440, the server of the recipient 130 obtains the signed authorization data from the payee 160. At step 450, the server of the recipient 130 verifies the received authorization data by coordinating with the certification authority 140. If the certification authority 140 invalidates the authorization data, the flowchart terminates at step 480. If the certification authority 140 verifies the authorization data and sends the verified authorization data to the recipient of the server 130, the server of the recipient 130 considers the payee 160 to be verified. The server of the recipient 130 generates the transaction information based on the received authorization data.
[0057] At step 460, the server of the recipient 130 transmits the transaction information to the financial organization 150. The financial organization 150 coordinates with the certification authority 140 to verify the recipient 130. The financial organization transfers the amount of money from the account of the payee 160 to the account of the recipient 130 after successful verification of the recipient 130. The financial organization 150 provides the status of the transaction to the recipient 130. The flowchart terminates at step 480.
[0058] Figure 5 illustrates a sequence diagram 500 of a method for making the electronic payment, in accordance with various embodiments of the present invention. The sequence diagram has four participants: a mobile device 510 of the payee 160, a server 515 of the recipient 130, a certification authority 520, and a financial organization 525. The actions 530-560, displayed in the sequence diagram 500 are same as the steps 220-270 of flowchart 200.
[0059] Figure 6 illustrates a screenshot 600 of a mobile device 610 of the payee 160 on receiving a message to authorize the electronic payment, in accordance with various embodiments of the present invention. On receiving the message, the mobile device 610 presents the payee 160 with options to both authorize the payment or exit and deny the payment. A button 620 is for authorizing the electronic payment and a button 630 is for exiting and denying the payment.
[0060] Figure 7 illustrates a screenshot 700 of a mobile device 710 of the payee 160 requesting the payee 160 to enter a security pin, in accordance with various embodiments of the present invention. As explained above, the payee 160 has to enter the security code to use the digital certificates. A button 720 is for submitting the security pin after entering the security pin.
[0061] Figure 8 illustrates a screenshot 800 of a mobile device 810 of the payee 160 on transmitting an authorization data, in accordance with various embodiments of the present invention. The mobile device 810 displays a submission message to confirm the transmission of the authorization data. Button 820 is for exiting after submitting the security pin
[0062] Figure 9 is a block diagram 900 of a subscriber identification module (SIM) card 910, in accordance with various embodiments of the present invention. In an embodiment, as explained above, the subscriber identification module (SIM) card 910 is for storing the digital signature of the payee 110. The subscriber identification module (SIM) card 910 follows Java Card specifications. Java-based applets and applications are run on the subscriber identification module (SIM) card 910.
[0063] The subscriber identification module (SIM) card 910 includes a hardware crypto processor 920, a SIM application 930, a symmetric encryption key 940, a secure key storage module 950 and an Integrated Circuit Card Identifier (ICCID) storage module 960.The hardware crypto processor 920 is a true random number generator. The hardware crypto processor 920 generates random numbers for cryptography.
[0064] The SIM application 930 refers to a SIM Application Toolkit (STK) installed on the subscriber identification module (SIM) card 910. The SIM application 930 is responsible for overall control of the digital signature on the subscriber identification module (SIM) card 910. For example, the SIM application 930 generates the digital signature using the hardware crypto processor 920. In another example, as explained above, the SIM application 930 requires the payee 110 to enter a security pin to access the digital signature.
[0065] The symmetric encryption key 940 refers to an encryption key unique to the subscriber identification module (SIM) card 910. The symmetric encryption key 940 is stored in subscriber identification module (SIM) card 910 during the generation of the subscriber identification module (SIM) card 910. The symmetric encryption key 940 is used for secure communication. The mobile device 120 encrypts all incoming and outgoing communication arising from the SIM application 930 with the symmetric encryption key 940. In an embodiment, a copy of the symmetric encryption key 940 is present with a messaging server. The messaging server receives communication from the mobile device 120, decrypts the communication using the symmetric encryption key 940 and then forwards the decrypted communication in a secure manner.
[0066] The secure key storage module 950 stores public key-private key pairs associated with the mobile device 120. In an embodiment, the secure key storage module 950 includes sixteen key slots. The key slots store two types of keys: a weaker key type for authentication purpose and a stronger key type for non-repudiation purpose.
[0067] The ICCID storage module 960 stores the Integrated Circuit Card Identifier (ICCID). ICCID uniquely identifies Subscriber Identification Module (SIM) card internationally. In an embodiment, the public key is associated with a combination of the ICCID and the MSISDN.
[0068] The present invention makes electronic payments simple and short. In addition, the present invention provides for better security as the entities do not receive any financial information of the payee. Moreover, by shortening the span of electronic payment, the present invention reduces the probability of a network error happening during the electronic payment. Moreover, since the present invention does not rely on installing an application on the mobile device, it is memory efficient.
[0069] This written description uses examples to describe the subject matter herein, including the best mode, and also to enable any person skilled in the art to make and use the subject matter. The patentable scope of the subject matter is defined by the claims, and may include other examples that occur to those skilled in the art. Such other examples are intended to be within the scope of the claims if they have structural elements that do not differ from the literal language of the claims, or if they include equivalent structural elements with insubstantial differences from the literal language of the claims.